
The example debezium-openshift is Vulnerability to XSS #5328

Closed
808Mak1r opened this issue Oct 10, 2024 · 1 comment

Comments

@808Mak1r

Description

Registry Version: latest
Persistence type:

Environment

Steps to Reproduce

  1. The code path is https://github.com/Apicurio/apicurio-registry/blob/7439fd5ef88761399e3e68049ba08488d463a908/examples/debezium-openshift/src/main/java/io/apicurio/example/debezium/rest/Api.java#L23-L23 The command parameter at L23 is user-controlled.
  2. The code path is https://github.com/Apicurio/apicurio-registry/blob/7439fd5ef88761399e3e68049ba08488d463a908/examples/debezium-openshift/src/main/java/io/apicurio/example/debezium/rest/Api.java#L33-L33 where the user-controllable command is directly spliced into the response and returned without processing.
    @POST
    @Path("/command")
    public String command(String command) {
        log.info("Command received: {}", command);
        switch (command) {
            case "start":
                runner.setEnabled(true);
                return "OK";
            case "stop":
                runner.setEnabled(false);
                return "OK";
            default:
                return "Unknown command: " + command;
        }
    }
}

The potential problem here is the command parameter, which can cause XSS attacks if this parameter contains malicious JavaScript code and the API's response content is rendered directly in the HTML page without proper escaping or filtering. For example, if the value of the command parameter is "<script>alert('XSS')</script>" and the returned "Unknown command: <script>alert('XSS')</script>" is inserted directly into the HTML, the browser will execute this script.

Fix

To ensure the security of your code, you can escape user input before returning it. Here is an example of escaping using the Apache Commons Text library:

import org.apache.commons.text.StringEscapeUtils;

public String command(String command) {
    log.info("Command received: {}", command);
    switch (command) {
        case "start":
            runner.setEnabled(true);
            return "OK";
        case "stop":
            runner.setEnabled(false);
            return "OK";
        default:
            return "Unknown command: " + StringEscapeUtils.escapeHtml4(command);
    }
}

This approach escapes special characters in user input as HTML entities, preventing the execution of malicious scripts on HTML pages.
Additionally, it is highly recommended to take precautions on both the front-end and back-end, including:

  • Validating and cleaning input on the back-end.
  • Encoding output on the front-end.
  • Using security policies such as CSP.

Expected vs Actual Behaviour

Logs
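Added example, not code from the apicurio-registry project or from the reporter: a Python model of the handler's control flow as quoted above, with the vulnerable echo beside a hardened variant. In place of the Java escapeHtml4 call it uses Python's html.escape, truncates the reflected value, returns an explicit 400 for unknown commands, and declares the body text/plain. The Runner class, the MAX_ECHO_LENGTH limit and the (status, content type, body) tuple standing in for a JAX-RS Response are all constructed assumptions for this example; reflects_markup is a small check a defender can run over captured response bodies.

```python
import html

# Allowlisted commands, mirroring the two cases the example's switch handles.
ALLOWED_COMMANDS = frozenset({"start", "stop"})
MAX_ECHO_LENGTH = 64  # constructed limit so a reflected value cannot be arbitrarily long


class Runner:
    """Constructed stand-in for the example's runner; it only records the enabled flag."""

    def __init__(self) -> None:
        self.enabled = False

    def set_enabled(self, value: bool) -> None:
        self.enabled = value


def command_vulnerable(runner: Runner, command: str) -> str:
    """Mirrors the handler quoted in the report: an unknown command is echoed back verbatim."""
    if command == "start":
        runner.set_enabled(True)
        return "OK"
    if command == "stop":
        runner.set_enabled(False)
        return "OK"
    return "Unknown command: " + command


def command_hardened(runner: Runner, command: str) -> tuple[int, str, str]:
    """Same control flow, but the reflected value is truncated and HTML-escaped,
    unknown commands get a 400, and the body is declared text/plain so a browser
    will not interpret it as markup even if a front-end inserts it unescaped.
    Returns (status, content_type, body) as a constructed stand-in for a JAX-RS Response."""
    if command in ALLOWED_COMMANDS:
        runner.set_enabled(command == "start")
        return 200, "text/plain; charset=utf-8", "OK"
    # quote=True also escapes ' and " so the value stays inert inside attribute
    # values; Commons Text escapeHtml4 on its own does not escape the single quote.
    echoed = html.escape(command[:MAX_ECHO_LENGTH], quote=True)
    return 400, "text/plain; charset=utf-8", "Unknown command: " + echoed


def reflects_markup(response_body: str, user_input: str) -> bool:
    """Detection check over a captured response body: True when user input that
    contains an HTML special character survives unescaped in the response."""
    return any(c in user_input for c in "<>\"'&") and user_input in response_body


PAYLOAD = "<script>alert('XSS')</script>"  # constructed probe string, taken from the report


if __name__ == "__main__":
    r = Runner()
    print(command_vulnerable(r, PAYLOAD))
    print(command_hardened(r, PAYLOAD))
    print(reflects_markup(command_vulnerable(r, PAYLOAD), PAYLOAD))
    print(reflects_markup(command_hardened(r, PAYLOAD)[2], PAYLOAD))
```

The content type is the part of this that the escaping alone does not give you: if the endpoint declares text/plain and a front-end still drops the body into innerHTML, escaping is what saves the page, and if the front-end uses textContent, the declared type is what stops a direct browser visit from rendering the echo as markup. Doing both keeps either layer from being the single point of failure.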

@carlesarnal
Member

As its own name says, this is just an example, so opening a vulnerability issue about it does not seem reasonable. As a result, I'm closing this.
